IS

MOD:
X-X/Y*Y

Dec:

Crypto

P+k mod 26 - simple

A-Za-z1-0 !?.

0-25,26-51,52-61, is 62, . is 65

Most common is considered space as 62

Space and e are most common

C=aP+b mod 26

simultaneously solved and find a and b

 RSA

M^e mod n

Message=13

11*7

13^7 mod 77

n=p*q

decrypt:

inverse of e mode(p-1)(q-1)

inverse of 7 mod 60 which is = 43

7(0) mod 60

....

43 = 1

7*43 mod 60

301-301 / 60*60= 1

C^d mod n = 62^43 mod 77 = 13

Forensics
Key/tabs etc, initiate a shortcut file, it logs all the actions you perform and stores in app
data

Stores:

Full file path, network number created on the source, serial number, attributes, size,
creation time, hotkeys

Lnk has these things.

Time stamps have 2 types normal and unix. Starts from utc is 1 jan 1601 and 1jan 1970

Forensics2
Window file have hive files that are binary storing registry of loggin everything on window
files

File access time is updated

Hive type: classes root, current user, local machine, user, current config

Subkeys are under main keys, once clicked, timely modified on backend

USBSTOR: info on any usb connection done to your device, with all logs of what
write/read/delete etc used by a forensic examiner only then it can be accessed

Identify malicious auto run: look for sus files

Sus file: first
shell bag: left and right accessed via explorer

Recent docs: recent doc opened, file menu, and local disk

- Distance of buffer base and return address

- Return address memory loc and shellcode address
- GDb= breakpoint tells address
- Gdb p/d 0xbfffeaf8 – 0xbfffea8c

CRYPTOGRAPHY:

Reverse Eng.:
Oht2

MALWARE:

Capa analyses if its malware or not

dll files it
scanned,

processes
shown:
check
mutex,
cerate,
create
process

comms
shows

connection, send receive data, and protocol has communication, client to server data
is sent

then a process is being made

in IDA:
View-> strings

To find variables:

Create processs, portnumber, SADFHUHF

What is the mutex created to ensure that the malware is not loaded twice?

Ans> SADFHUHF
 opening mutex

Sha256 code-> virus total

Shows 47 hasnt flagged it as mal

Details shows each history of the file and the names of the malware and imports it used
and open/create mutex and processes
What IP / Port number of C2 server does it connect to?

Ans>127.26.152.13: 80

ip address called

Used for connection building: inet_addr

internet protocol being passed and pushing hostshort 50h

to 80

Htons: to connect to server helps

What beacon is sent upon connection?

Ans>hello

Flag 0 to not detect

Suggest a method to run this DLL.

Ans> using this command Rundll32.exe

Mutex created?

IP?

Port?

Commands?
The sequence of hexadecimal values you've provided can be translated into ASCII
characters to understand its meaning. Let's break it down:

```

41 42 43 2D 31 32 33 34 35 36 00 00 53 00 6F 00

```

### Step-by-Step Breakdown

1. **Convert each hexadecimal value to its ASCII equivalent:**

- `41` -> `A`

- `42` -> `B`

- `43` -> `C`

- `2D` -> `-`

- `31` -> `1`

- `32` -> `2`

- `33` -> `3`

 - `34` -> `4`

- `35` -> `5`

- `36` -> `6`

- `00` -> NULL (non-printable, typically indicates the end of a string)

- `00` -> NULL

- `53` -> `S`

- `00` -> NULL

- `6F` -> `o`

- `00` -> NULL

### Combining the Characters

Combining the ASCII characters from the sequence:

```

A B C - 1 2 3 4 5 6 (NULL) (NULL) S (NULL) o (NULL)

```

The NULL characters are non-printable and usually signify the end of a string or are used
as padding. Ignoring these, the readable part of the sequence is:

```

ABC-123456So

```

### Summary

The hexadecimal sequence `41 42 43 2D 31 32 33 34 35 36 00 00 53 00 6F 00`

translates to the ASCII string:
```

ABC-123456So

```

The NULL characters (`00`) are non-printable and are typically used for string
termination or padding in various contexts.

PDF:

Updated showed in versions

Risky pdf words
Rels

Malicious target vtaurl

.rar, .docx
Steganography
Hidden messages

Null cipher: normal paragraph has hidden meaning

I wanted to go feed the dog

Images

Network packets

1. Hide ‘a’ use ASCII

2. Multiply axconstant k
3. Send tcp
4. Crafted w initial sequence number divides by k and finds ‘a’

What are Macros?

Definition: Macros are sequences of commands or code written to perform automated

tasks. They are commonly used in applications like Microsoft Word, Excel, and Access.

Purpose: They help in automating repetitive tasks, such as formatting documents,

performing complex calculations, or managing data.

Security Risks Associated with Macros

Macro Malware: Malicious macros can be embedded in documents. When the
document is opened and the macro is executed, it can perform harmful activities, such
as downloading malware, stealing data, or gaining unauthorized access to systems.

Social Engineering: Attackers often use social engineering tactics to trick users into
enabling macros in a document, usually by sending emails with seemingly legitimate
attachments and urging recipients to enable macros to view the content.

This slide demonstrates how different bullet points and indentation levels can be used
to structure information in a way that hides or obscures data within documents. This
might be particularly relevant in the context of information security for hiding metadata
or sensitive information within seemingly benign files.
Shell code:

Virtual protect executes

• unsigned char shellcode[] = "\x48\x83\xEC\x28\x48\x83\xE4\xF0\x48\x8D

.................";: This line defines an array of unsigned characters (bytes) containing
the shellcode. Shellcode is typically a series of machine code instructions that the CPU
executes directly.
• DWORD flOldProtect;: Declares a variable to store the old protection settings of the
memory page.
• VirtualProtect(shellcode, sizeof(shellcode), PAGE_EXECUTE_READWRITE,
&flOldProtect);: This Windows API function changes the protection on a region of
memory to be executable and writable, which is necessary to run shellcode. The shellcode
array is made executable by changing its memory protection settings.
• (*(void (*)())&shellcode)();: This line casts the shellcode array to a function
pointer and calls it, executing the shellcode.

Injection

1. PID find
2. Open process
3. Buffer reserved
4. Write shell code in buffer
5. Create remote thread to inject in another process
open process is existing

Create is making a new process

• • HANDLE processHandle; HANDLE remoteThread; PVOID remoteBuffer;:

Declares handles for the process, the remote thread, and a pointer for the remote
buffer.

• Process Injection:

• processHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE,

DWORD(atoi(argv[1])));: Opens a handle to the target process with all access
rights. The process ID is passed as a command-line argument and converted to a
DWORD.
• remoteBuffer = VirtualAllocEx(processHandle, NULL, sizeof shellcode,
(MEM_RESERVE | MEM_COMMIT), PAGE_EXECUTE_READWRITE);: Allocates memory
in the remote process. The allocated memory is marked as executable and writable.
• WriteProcessMemory(processHandle, remoteBuffer, shellcode, sizeof
shellcode, NULL);: Writes the shellcode into the allocated memory of the remote
process.
• remoteThread = CreateRemoteThread(processHandle, NULL, 0,
(LPTHREAD_START_ROUTINE)remoteBuffer, NULL, 0, NULL);: Creates a remote
thread in the target process that starts execution at the beginning of the allocated
memory (which contains the shellcode).
• CloseHandle(processHandle);: Closes the handle to the target process.
• File Selection:

• Pick any file: The process begins by selecting a known executable file (exe), Word
document, PDF, etc. This file will serve as the carrier for the shellcode.

• Add Shellcode:

• Add shellcode to it: Inject the malicious code into the chosen file.
• Add new code section .malware: Create a new section in the file specifically for the
malicious code.
• Add main address .. Overwrite with .malware address .MAIN_: Modify the file’s
main execution address to point to the newly added malware section.

• Reverse Shell Setup:

• Run nc or any reverse shell handler on remote computer: Use tools like Netcat
(nc) or other reverse shell handlers to listen for connections from the compromised
system.

• Phishing and Control:

• When target gets phished, you have C2 control: Once the target is tricked into
opening the compromised file (phishing), the attacker gains Command and Control
(C2) over the system.
• Send next stage payload to run: Deploy additional payloads or stages of the attack.
• Install more remote software: Install additional malicious software to further control
or exploit the system.
• Install keyloggers etc: Set up keyloggers to capture keystrokes and other sensitive
information.
• Exfiltrate passwords from chrome: Steal saved passwords from the Chrome
browser.
 • Exfiltrate registry artifacts to identify important files: Extract registry data to find
important files on the system.
• Encrypt them for ransom: Encrypt the victim’s files and demand a ransom for their
decryption.

Buffer:

• Stack Frames: Each function call creates a new stack frame, which includes the function’s
local variables, parameters, return address, and a pointer to the previous frame.
• Call Stack: The stack that keeps track of function calls and returns addresses, allowing the
program to return control to the correct location after a function completes.

Turn off address randomization

Set to root id (access to run everything)

Explanation

Stack Before the Buffer Copy

1. Arguments: The arguments passed to the function.

2. Return Address: The address where the program should return after the function call
completes.
 3. Previous Frame Pointer: Points to the base of the previous stack frame.
4. buffer[99]: A local buffer array allocated on the stack. If the input data exceeds the
buffer’s allocated space, it will overflow into adjacent memory locations.

Buffer Overflow Process

• When data is copied into the buffer without proper bounds checking, it can overwrite
adjacent memory, including the return address and frame pointers.
• By carefully crafting the input data, an attacker can insert malicious code into the
overflowed buffer and overwrite the return address with the address of this malicious
code.

Stack After the Buffer Copy

1. Malicious Code: The attacker’s code that has been injected into the buffer.
2. New Return Address: The overwritten return address now points to the malicious
code.

Key Concepts

Buffer Overflow

• Buffer Overflow: Occurs when data exceeds the allocated memory space of a buffer
and starts overwriting adjacent memory locations. This can lead to unpredictable
behavior, crashes, or potential code execution.

Exploiting Buffer Overflow

1. Inject Malicious Code: Attacker inputs more data than the buffer can hold, including
malicious code.
2. Overwrite Return Address: The overflow overwrites the return address with the
address of the malicious code.
3. Execute Malicious Code: When the function returns, it jumps to the malicious code
instead of the intended return address.

Prevention

• Bounds Checking: Ensure all buffer operations check the bounds to prevent
overflow.
• Safe Functions: Use safe library functions that limit the amount of data copied into
buffers (e.g., strncpy instead of strcpy).
• Stack Canaries: Use stack protection mechanisms that detect changes to the stack
frame, such as stack canaries.
• Address Space Layout Randomization (ASLR): Randomizes the memory addresses
used by system and application processes, making it harder for an attacker to predict
where the malicious code will be injected.
(return address – base address) +4 (32 bit system) = address to add shellcode

Gdp: breakpoint

Ebp is the return address

1011/1111/1111/1111/1110/1010/111 1/0(10)00

1011 1111 1111 1111 1110 1010 1000 1100

11111100

10(binary)->decimal(2)

2-1=1 => 1

Buffer Overflow and NOP Sled

Buffer Overflow:
In a buffer overflow attack, the attacker overwrites the buffer and adjacent memory
locations, including the return address.

The goal is to overwrite the return address with a pointer to the malicious code.

Challenges:

Predicting the exact address to which the return address should be overwritten can be
difficult.

An inaccurate guess can lead to a failed attack, as the return address may not point
exactly to the start of the malicious code.

NOP Sled (No Operation):

NOP stands for "No Operation". It is an instruction that does nothing and simply
advances the execution to the next instruction.

By filling the buffer with multiple NOP instructions before the malicious code (creating a
NOP sled), the attacker increases the chances of successful execution.

When the return address points to any location within the NOP sled, the CPU will
continue executing NOPs until it reaches the malicious code.

Increased Success Rate:

Without NOP:

If the return address is inaccurately guessed, it may not point exactly to the start of the
malicious code, leading to a failed attack.

With NOP:

Even if the return address is not perfectly accurate, it will likely point somewhere within
the NOP sled. The NOP sled then guides the execution flow to the malicious code,
resulting in a successful attack.
 • Length of cipher is twice than that of plain text (pairs)

• Cipher is in hex format

• For single char plaintext, cipher is just ASCII (hex) added to 80h

hex= ascii+80h

• Every char in cipher depends on single next char to the right

• No dependence on chars to the left

• In case of similar chars, repeated chars on left are always 0

• Similarity check is XOR

Decipher 0301e3

Start from right to left

E3=ascii+80

E3-80h= ascii value of plaintext

63 ascii is c
e3 – 80 = 63h ‘c’

63h XOR 01 = 62h ‘b’

62h XOR 03 = 61h ‘a’